Bugs & Fixes: Mac Defender strikes again; Apple fights back

The Mac Defender Trojan Horse phishing scam was back in the news this week. Twice.

First, a more virulent variation of the malware was detected. In this latest iteration, the phony program is named MacGuard. The new wrinkle is that it doesn’t require an administrator’s password to install. This means that any user on a Mac has the authority to install the malware. Of course, unless said user also had a credit card number to offer, this does not significantly alter the risk.

Second, a new Apple support article revealed that Apple is working on an update to Mac OS X (presumably 10.6.8) that will “automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”

The support article went on to offer recommendations on how to remove the malware if you inadvertently fall victim to this scam prior to the release of 10.6.8.

Meanwhile, a prior report (unconfirmed by Apple) cited an internal Apple memo advising AppleCare employees not to “confirm or deny whether the customer’s Mac is infected (by the malware) or not.” Not surprisingly, critics jumped all over this. For example, Infoworld’s Robert X. Cringely lamented that this was yet another example of Apple being “arrogant beyond belief and helpful only when forced into a corner.”

My view is more benign. While I wish Apple had been more helpful out-of-the-gate, I can understand Apple’s reluctance to offer advice over the phone—potentially leading to making a bad situation worse if instructions are not correctly followed—before Apple fully understood what they were dealing with. In a worst case scenario, I could see Apple exposed to a lawsuit, with users seeking to recover damages incurred by Apple’s supposed “bad” advice. Regardless, Apple has apparently concluded its investigation and has responded in an appropriate manner.

How will Apple’s update work?

I was especially intrigued by the promised specificity of Apple’s upcoming fix. It is one of the very few times that Apple has included code in Mac OS X that is targeted at a specific security threat. In fact, the only other targeting (of which I am aware) is the XProtect.plist file of malware definitions included in Mac OS X 10.6. The protection offered here remains limited. Back in 2009, the file included only two definitions: one each for RSPlug.A and iService. As of the current Mac OS X 10.6.7, the file has added definitions to protect against two further attacks: HellRTS and OpinionSpy.

Even in cases where the XProtect.plist file is of value, the protection is only against installing the software. The feature offers no way to remove malware after it has been installed. This is in apparent contrast to the upcoming Mac OS X update, which promises to “find and remove Mac Defender.” It will be interesting to see exactly how Mac OS X 10.6.8 implements this removal. Will it work via the XProtect.plist file or via some other mechanism?

This also has me wondering about Apple’s plans for the future. Is this response to Mac Defender a limited deal for Apple? Or does it now plan to regularly update Mac OS X to cope with the latest malware and virus attacks? My guess is that Apple will assess each threat on a case-by-case basis. Don’t expect an identical response from Apple to all future attacks.

The larger view

Overall, similar to what Rich Mogull argued here at Macworld, I consider Mac Defender to be a rather low risk threat. Most users will never confront any Mac Defender variant. And those that do will still need to be “tricked” by the software before they are in any real danger. At the same time (as I covered in a previous Bugs & Fixes column), you should remain suspicious of any and all unsolicited requests to install software or provide confidential information. This is not difficult to do and it doesn’t require any third-party software (such as Intego’s VirusBarrier). Being appropriately vigilant while recognizing that the risk of an “infection” is small are not inconsistent or mutually exclusive propositions.